Abstract:
Because engineers generally cannot test their creations to the point of saturation, they must make do with a set of substitutes: anticipating all possible failure modes; writing a comprehensive set of requirements; dedicating validation and verification teams; designing in a built-in safety margin; applying formal verification where possible; and testing, testing, testing. If you did not test it, it does not work. In some cases computers have become fast enough to permit testing every combination of bit patterns, but many, perhaps most, things you design cannot be tested to saturation. So it behooves us to anticipate how our designs will be used, certainly under nominal conditions, but also under non-nominal conditions, which usually place the system under higher stress. The paper surveys the range of techniques programmers have at their disposal for this.
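As an added illustration of the "test every combination of bit patterns" point (example code written for this page, not from the paper): when a function's input space is small enough, a reference implementation plus a loop over every input replaces guesswork about failure modes with a proof by exhaustion. The two saturating-add variants, the reference, and the 65536-pair harness below are all constructed here; the buggy variant is hypothetical and exists only to show the kind of edge (negative overflow) that sampled testing tends to miss.

```c
#include <stdint.h>
#include <stdio.h>

/* Reference: widen to int, clamp, narrow. Trusted because it is obvious. */
static int8_t ref_sat_add8(int8_t a, int8_t b) {
    int s = (int)a + (int)b;
    if (s > INT8_MAX) return INT8_MAX;
    if (s < INT8_MIN) return INT8_MIN;
    return (int8_t)s;
}

/* Hypothetical buggy version: clamps the positive side only, so any sum
   below INT8_MIN is silently narrowed (wraps on common compilers). */
static int8_t buggy_sat_add8(int8_t a, int8_t b) {
    int s = (int)a + (int)b;
    if (s > INT8_MAX) return INT8_MAX;
    return (int8_t)s;
}

/* Fixed version using the classic sign-bit overflow test on the 8-bit
   result instead of widening, so it is a genuinely different algorithm
   from the reference and worth checking against it. */
static int8_t fixed_sat_add8(int8_t a, int8_t b) {
    uint8_t ua = (uint8_t)a, ub = (uint8_t)b;
    uint8_t us = (uint8_t)(ua + ub);
    /* Overflow iff a and b share a sign and the sum's sign differs. */
    if (((ua ^ us) & (ub ^ us) & 0x80U) != 0)
        return (a < 0) ? INT8_MIN : INT8_MAX;
    /* Portable narrowing: avoid implementation-defined conversion. */
    return (int8_t)(us < 128U ? (int)us : (int)us - 256);
}

typedef int8_t (*sat_add8_fn)(int8_t, int8_t);

/* Saturation test: compare f with the reference on all 2^16 (a, b) pairs.
   Returns the mismatch count; optionally records the first failing pair. */
static long exhaustive_check(sat_add8_fn f, int *first_a, int *first_b) {
    long mismatches = 0;
    for (int a = INT8_MIN; a <= INT8_MAX; a++) {
        for (int b = INT8_MIN; b <= INT8_MAX; b++) {
            if (f((int8_t)a, (int8_t)b) != ref_sat_add8((int8_t)a, (int8_t)b)) {
                if (mismatches == 0) {
                    if (first_a) *first_a = a;
                    if (first_b) *first_b = b;
                }
                mismatches++;
            }
        }
    }
    return mismatches;
}

int main(void) {
    int a = 0, b = 0;
    long n = exhaustive_check(buggy_sat_add8, &a, &b);
    printf("buggy: %ld mismatches, first at a=%d b=%d\n", n, a, b);
    n = exhaustive_check(fixed_sat_add8, &a, &b);
    printf("fixed: %ld mismatches\n", n);
    return 0;
}
```

The buggy variant fails on exactly the 8256 pairs whose true sum lies below -128; a handful of hand-picked or random test vectors would be unlikely to hit the corner at a = b = -128, whereas the exhaustive loop finds it first. The same pattern scales to any function whose input is 16 or 32 bits wide; beyond that, as the abstract says, you are back to anticipating failure modes rather than enumerating them.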